Between 2008 and 2010, cyber criminals breached the computer networks of Wyndham Hotels & Resorts and stole customer payment card data. The breaches led to a legal battle between Wyndham and the Federal Trade Commission. The FTC claimed that Wyndham’s allegedly lax security practices violated Section 5(a) of the FTC Act, which prohibits “unfair or deceptive acts or practices.” Wyndham countered with a motion to dismiss, asserting, among other things, that the FTC’s “unfairness” authority does not confer jurisdiction over data security, particularly in the absence of binding FTC rules or guidance.

The first round of the battle has now ended in favor of the FTC. On April 7, 2014, the U.S. District Court for the District of New Jersey denied Wyndham’s motion to dismiss and affirmed FTC jurisdiction.

What happens now, and where should private-sector attention be focused? In the absence of clear rules or guidance, how should companies proceed? How does FTC enforcement interact with congressional efforts to clarify agency authority over data security, and with Executive Branch action on cyber?